August 22, 2011, 1:13 PM — Last week, while upgrading the openssh version on his employer's web servers, Michiel Vancoillie noticed that malware-infected, hacker-controlled bots had tried to log in to his servers more than 20,000 times during one two-day period.
That's huge for a tiny web design place like NinetyNine, Whose greatest claim to fame is a free app free search tool designed to search and manage ASDoc files generated by Adobe's Flex web application development toolset.
There are plenty of botnets and plenty of malware, not all of which are designed for on-by-one server penetrations this one was apparently trying to accomplish. Most botnet operations are much larger-scale, especially internationally.
The specific techniques and weak spots this attempt probed are interesting, though.
Looking at the server logs, Vancoilliehe looked at the login attempts, though, he discovered two interesting things: first, the vast bulk of login attempts were made with invalid user names – flat guesses by attacking bots about what might or might not be a valid login.
The invalid usernames were repetitive, and kind of doofy, too: minecraft, eggbreaker2 ,batman ,sir , queen, elmo, frenzy, christmas, idiot, birdseed, einstein123, breast, knight, cookie, eminem.
Second, most of the attempts made with valid names didn't use actual names; they aimed at services that might run on a the server the bots were attacking and, if they were, might have default access rights that used the names of the apps for authentication: Root, postgres, ftp, bin, mysql, proxy,uucp, mail, news postfix, daemon, backup, nobody, IP, list, gnats, man, irc, sys, games.
Sounds silly, but a lot of apps actually do come with default settings for usernames and security that are simple enough for brand new users to remember. The defaults are passed out in documentation and supplied on support forums.
It's not hard for malware writers to get ahold of and paste them into a list of possible ID/password combinations to be used against the target machine.
By far the most common term used was Root, which made up 18.8 percent of all attempts, and more than 80 percent of attempts using valid names.
The very distant No. 2 choice was Postgres, with about 17 percent of the existing names segment.
Bots used invalid names (random guesses) 77 percent of the time, but stuck with the practice of going for names that reflected generic functions as often as possible.
